aws.iam-role - filter based on trust policy
Is your feature request related to a problem? Please describe.
I'm currently using a c7n policy that will auto-attach an IAM managed policy to every newly created role. I'd like to attach it to only IAM roles that have a trusted policy for ec2.amazonaws.com. Since I cannot do that afaict, I have tagged my non-EC2 IAM roles with notEC2 or similar.
Describe the solution you'd like
I'd like a new filter that would search through the trusted policy so we can see if an IAM role has a trust relationship with a specific AWS service.
Describe alternatives you've considered
Using the tag-based approach mentioned above.
Additional context
policies:
  - name: iam-attach-default-policy
    resource: iam-role
    description: |
      Attach default IAM policy triggered on the cloudtrail event name CreateRole
    mode:
      type: cloudtrail
      events:
        - source: iam.amazonaws.com
          event: CreateRole
          ids: "requestParameters.roleName"
      role: cloud-custodian
      tags:
        application: cloud-custodian
        team: sre
        env: production
      execution-options:
        output_dir: s3://bucket/cloud-custodian/output
    filters:
      - type: no-specific-managed-policy
        value: base
      - not:
          - type: value
            key: Path
            op: regex
            value: ".*aws-service-role.*"
      - "tag:notEC2": absent
    actions:
      - type: set-policy
        state: attached
        arn: arn:aws:iam::{account_id}:policy/base
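The check the request describes, as an added example that is not Cloud Custodian's code: a plain-Python predicate over a role's decoded AssumeRolePolicyDocument that reports whether a given service principal may assume the role, handling scalar-or-list Statement, Action and Service values, the wildcard principal, and Deny statements. The sample roles and the make_trust_doc helper are constructed for the example.

```python
from typing import Any


def _as_list(value: Any) -> list:
    """IAM JSON allows a scalar or a list in most positions; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def trusts_service(trust_doc: dict, service: str) -> bool:
    """True if the trust policy lets `service` call sts:AssumeRole.

    Principal "*" trusts everything (services included); otherwise Principal.Service
    may be a string or a list. A Deny that matches the service overrides any Allow.
    """
    allowed = False
    for stmt in _as_list(trust_doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # statement does not grant role assumption at all
        principal = stmt.get("Principal")
        if principal == "*":
            matched = True
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
            matched = service in services or "*" in services
        else:
            matched = False  # e.g. only an "AWS" account or role principal
        if not matched:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def roles_trusting(roles: list, service: str = "ec2.amazonaws.com") -> list:
    """Names of the roles whose trust policy admits `service` (the roles to target)."""
    return [r["RoleName"] for r in roles
            if trusts_service(r["AssumeRolePolicyDocument"], service)]


def make_trust_doc(principal: Any, effect: str = "Allow") -> dict:
    """Constructed helper: build a one-statement trust policy for the samples below."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": effect, "Principal": principal, "Action": "sts:AssumeRole"}]}


# Constructed sample roles, shaped like boto3's decoded AssumeRolePolicyDocument.
SAMPLE_ROLES = [
    {"RoleName": "ec2-app", "AssumeRolePolicyDocument": make_trust_doc({"Service": "ec2.amazonaws.com"})},
    {"RoleName": "lambda-fn", "AssumeRolePolicyDocument": make_trust_doc({"Service": "lambda.amazonaws.com"})},
    {"RoleName": "cross-acct", "AssumeRolePolicyDocument": make_trust_doc({"AWS": "arn:aws:iam::111122223333:root"})},
    {"RoleName": "ec2-ssm", "AssumeRolePolicyDocument": make_trust_doc({"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]})},
]
```

Because a wildcard principal is reported as trusting every service, the same predicate also surfaces over-permissive trust policies that the tag-based workaround cannot distinguish.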
Top GitHub Comments
We have a specific filter for cross-account on it; internally that does some normalization, although I wonder if the has-statement PR would also be useful here, albeit exposed as a trust-statement filter.
The trust document is an attribute of a role.